CVE-2021-26117
HIGH
Apache ActiveMQ 5.15.0-5.15.13 and 5.16.0 - Improper Authentication via LDAP Anonymous Bind
Title source: llm
Description
The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used in error to verify a valid user's password, resulting in no check on the password.
References (21)
Core References
Mailing List mailing-list
https://lists.apache.org/thread.html/rffa5cd05d01c4c9853b17f3004d80ea6eb8856c422a8545c5f79b1a6%40%3Ccommits.activemq.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/re1b98da90a5f2e1c2e2d50e31c12e2578d61fe01c0737f9d0bd8de99%40%3Cannounce.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7%40%3Ccommits.activemq.apache.org%3E
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2021/03/msg00005.html
Mailing List mailing-list
https://lists.apache.org/thread.html/r70389648227317bdadcdecbd9f238571a6047469d156bd72bb0ca2f7%40%3Cgitbox.activemq.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/r5899ece90bcae5805ad6142fdb05c58595cff19cb2e98cc58a91f55b%40%3Cgitbox.activemq.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/rec93794f8aeddf8a5f1a643d264b4e66b933f06fd72a38f31448f0ac%40%3Cgitbox.activemq.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/rd75600cee29cb248d548edcf6338fe296466d63a69e2ed0afc439ec7%40%3Cissues.activemq.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/raea451de09baed76950d6a60cc4bb1b74476c505e03205a3c68c9808%40%3Cissues.activemq.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/r110cacfa754471361234965ffe851a046e302ff2693b055f49f47b02%40%3Cissues.activemq.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/r22cdc0fb45e223ac92bc2ceff7af92f1193dfc614c8b248534456229%40%3Cissues.activemq.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/r3341d96d8f956e878fb7b463b08d57ca1d58fec9c970aee929b58e0d%40%3Cissues.activemq.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/r519bfafd67091d0b91243efcb1c49b1eea27321355ba5594f679277d%40%3Cissues.activemq.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/rd05b1c9d61dbd220664d559aa0e2b55e5830f006a09e82057f3f7863%40%3Cissues.activemq.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/ra255ddfc8b613b80e9fa22ff3e106168b245f38a22316bfb54d21159%40%3Cissues.activemq.apache.org%3E
Third Party Advisory
https://security.netapp.com/advisory/ntap-20210304-0008/
Patch, Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html
Not Applicable, Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html
Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
Various Sources
https://mail-archives.apache.org/mod_mbox/activemq-users/202101.mbox/%3cCAH+vQmMeUEiKN4wYX9nLBbqmFZFPXqajNvBKmzb2V8QZANcSTA%40mail.gmail.com%3e
Mailing List mailing-list
https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html
Scores
CVSS v3
7.5
EPSS
0.0994
EPSS Percentile
93.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-287
Status
published
Products (11)
apache/activemq
5.15.0 - 5.15.14
apache/activemq_artemis
< 2.16.0
debian/debian_linux
9.0
netapp/oncommand_workflow_automation
oracle/communications_element_manager
8.2.0 - 8.2.4.0
oracle/communications_session_report_manager
8.2.0 - 8.2.2
oracle/communications_session_route_manager
8.0.0 - 8.2.2
oracle/flexcube_private_banking
12.0.0
oracle/flexcube_private_banking
12.1.0
org.apache.activemq/activemq-parent
5.16.0 - 5.16.1 (Maven)
... and 1 more
Published
Jan 27, 2021
Tracked Since
Feb 18, 2026